(Apologies for reviving a month-old thread, but the example seems
relevant and worth documenting "don't do this" on.)

On 21/03/2013 22:25, Tim Draegen wrote:
> On Mar 20, 2013, at 11:49 PM, John Levine <[email protected]> wrote:
>> For example, I now have a very
>> good idea how many NANOG subscribers get their mail at Gmail, Hotmail,
>> and Yahoo.
>
> Before we (as a discussion list) jump to conclusions, can we be a bit more
> rigorous in fleshing out what people are concerned about in terms of privacy?
> It'll make the draft better.
>
> For example, "privacy disaster waiting to blow up" sounds like someone needs to
> jump on the grenade before DMARC explodes and kills everyone's privacy. Since this
> appears to be about DMARC allowing people to count how many list subscribers live at each
> DMARC-enabled provider, what are the privacy implications? Hyperbole aside, is there
> anything there?
>
> I'll take a stab at fleshing this out:
>
> - I no longer have to talk to the list admin and ask for these
> statistics.
> - I don't have to pay anyone for these numbers.
> - I can determine how many list lurkers are Out There.
>
> That wasn't very satisfying. Where is the disaster?

Here's a worse example from a large webmail provider (who has since
stopped doing this!) that resulted from a post I made to a mailing list
in December (this is the second section of the ARF message):
Content-Type: message/feedback-report
Feedback-Type: auth-failure
User-Agent: XMR/2.2
Version: 1.0
Original-Mail-From: <[email protected]>
Original-Rcpt-To: [email protected]
Arrival-Date: Mon, 17 Dec 2012 01:43:02 -0800
Message-ID: <[email protected]>
Authentication-Results: example.com; spf=temperror (sender IP is 138.25.6.16;
identity alignment result is fail and alignment mode is relaxed)
[email protected]; dkim=fail (identity alignment result
is pass and alignment mode is relaxed) header.d=raz.cx; x-hmca=none
Source-IP: 138.25.6.16
Auth-Failure: signature
Reported-Domain: raz.cx
DKIM-Domain: raz.cx
DKIM-Identity: @raz.cx
DKIM-Selector: 20120325

This is a copy+paste from the message source, except that I replaced the
subscriber's _*real*_ addresses with [email protected] (and the
organisation's domain with example.com in Authentication-Results). This
specific issue is called out in RFC5965 8.5 but was missed by this
organisation.

Given that DMARC failure reports are usually sent to someone other than
the netblock owner from which the message was received by the reporter,
this concern might be worth banging on a bit harder in specification
and/or implementation docs. (The "you probably don't want to send
failure reports to people you don't have an NDA with" argument is also
relevant, of course.)

- Roland
--
Roland Turner | Director, Labs
TrustSphere Pte Ltd | 3 Phillip Street #13-03, Singapore 048693
Mobile: +65 96700022 | Skype: roland.turner
[email protected] | http://www.trustsphere.com/
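
An added example, not part of the original message or of any reporter's code: one way a report generator could keep a subscriber's address out of the message/feedback-report part shown above, by replacing the local-part of the Original-Rcpt-To address with a keyed token everywhere it appears before the report leaves the organisation. The HMAC scheme, the key, the function names and the sample report are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import re

# Fields that name the recipient (assumed list for this example).
RECIPIENT_FIELDS = {"original-rcpt-to"}
ADDR = re.compile(r"([A-Za-z0-9._%+-]+)@([A-Za-z0-9.-]+)")

# Constructed sample report; every address and host here is a placeholder.
SAMPLE = """\
Feedback-Type: auth-failure
Version: 1.0
Original-Mail-From: <list-bounces@lists.example.org>
Original-Rcpt-To: alice@webmail.example
Arrival-Date: Mon, 17 Dec 2012 01:43:02 -0800
Authentication-Results: mx.webmail.example; spf=temperror
  (recipient alice@webmail.example); dkim=fail header.d=sender.example
Source-IP: 192.0.2.10
Reported-Domain: sender.example
"""

def unfold(report: str) -> list[tuple[str, str]]:
    """Split a feedback-report part into (name, value) pairs, joining folded lines."""
    fields: list[tuple[str, str]] = []
    for line in report.splitlines():
        if line[:1] in (" ", "\t") and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            fields.append((name.strip(), value.strip()))
    return fields

def token(local: str, key: bytes) -> str:
    """Stable pseudonym: the same recipient and key always give the same token."""
    return hmac.new(key, local.lower().encode(), hashlib.sha256).hexdigest()[:16]

def redact_report(report: str, key: bytes) -> str:
    """Redact the recipient's local-part in every field where the address occurs."""
    fields = unfold(report)
    recipients = {m.group(0).lower()
                  for name, value in fields if name.lower() in RECIPIENT_FIELDS
                  for m in ADDR.finditer(value)}

    def swap(m: re.Match) -> str:
        if m.group(0).lower() in recipients:
            return f"{token(m.group(1), key)}@{m.group(2)}"
        return m.group(0)  # sender-side addresses are left intact

    return "\n".join(f"{name}: {ADDR.sub(swap, value)}" for name, value in fields)

if __name__ == "__main__":
    print(redact_report(SAMPLE, b"constructed-demo-key"))
```

The recipient's domain is deliberately kept, so the report still shows which provider saw the failure; only the individual mailbox is pseudonymised.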